CS/COE 1501 Recitation
RSA Encryption/Decryption
Extended Euclidean Algorithm
Digital Signatures

RSA Encryption
Say Alice wants to send a message to Bob. She:
   Looks up Bob's public key
   Converts the message into an integer: m
   Computes the ciphertext c as: c = m^e (mod n)
   Sends c to Bob

RSA Decryption
Bob can simply:
   Compute m as: m = c^d (mod n)
   Convert m into Alice's message

RSA Cryptosystem
What are public/private keys?
How are the messages encrypted?
How are the messages decrypted?
How are the keys generated?
Why is it secure?

RSA Cryptosystem
What are public/private keys?
   Public Key = (e, n)
   Private Key = (d, n)
How are the messages encrypted?
   c = m^e (mod n)
How are the messages decrypted?
   m = c^d (mod n)
How are the keys generated?

How are keys generated?
1. Choose two (large) prime numbers p and q
2. Compute n = p * q
3. Compute φ(n)
   φ(n) = φ(p) * φ(q) = (p - 1) * (q - 1)
4. Choose e such that 1 < e < φ(n), GCD(e, φ(n)) = 1
   i.e., e and φ(n) are co-prime
5. Determine d as d ≡ e^-1 (mod φ(n))

An Example
1. Choose two prime numbers p and q
   p = 3, q = 11
2. Compute n = p * q
   n = 3 * 11 = 33
3. Compute φ(n)
   φ(n) = φ(p) * φ(q) = (p - 1) * (q - 1)
   φ(n) = (3 - 1) * (11 - 1) = 20
4. Choose e such that 1 < e < φ(n), GCD(e, φ(n)) = 1
   i.e., e and φ(n) are co-prime
   We can choose e = 3; verify that 1 < 3 < φ(n) = 20, and 3 and 20 are co-prime

An Example
5. Determine d as d ≡ e^-1 (mod φ(n))
   e * d ≡ 1 (mod φ(n))
   Intuition: search from d = 0 until e * d mod 20 = 1
   We have already chosen e = 3; here we choose d = 7
We now get our Public Key and Private Key
   Public Key = (e, n) = (3, 33)
   Private Key = (d, n) = (7, 33)

An Example
Encryption: c = m^e (mod n)
Decryption: m = c^d (mod n)
Public Key = (e, n) = (3, 33)
Private Key = (d, n) = (7, 33)
Alice said "hello": 7, 4, 11, 11, 14
Encrypt msg: 7^3 mod 33, 4^3 mod 33, 11^3 mod 33, 11^3 mod 33, 14^3 mod 33
Encrypted msg: 13, 31, 11, 11, 5

An Example
Encryption: c = m^e (mod n)
Decryption: m = c^d (mod n)
Public Key = (e, n) = (3, 33)
Private Key = (d, n) = (7, 33)
Bob receives 13, 31, 11, 11, 5
Decrypt msg: 13^7 mod 33, 31^7 mod 33, 11^7 mod 33, 11^7 mod 33, 5^7 mod 33
Decrypted msg: 7, 4, 11, 11, 14 -> 'hello'

Challenges
LargeInteger
   LargeInteger multiply(LargeInteger other)
   LargeInteger[] XGCD(LargeInteger other)
   LargeInteger modularExp(LargeInteger y, LargeInteger n)
Determine d as d ≡ e^-1 (mod φ(n)) efficiently
   Improve "search from d = 0 until e * d mod 20 = 1"

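The modularExp operation listed above, written out as square-and-multiply and run on the slides' key pair. This is an added example, not code from the course: java.math.BigInteger stands in for the course's LargeInteger, and the class name ToyRsa, the three-argument static modularExp and the helper apply are hypothetical.

```java
import java.math.BigInteger;
import java.util.Arrays;

public class ToyRsa {
    // Square-and-multiply: x^y mod n using O(log y) multiplications,
    // reducing mod n after every step so intermediates stay below n^2.
    // (BigInteger is an assumed stand-in for the course's LargeInteger.)
    static BigInteger modularExp(BigInteger x, BigInteger y, BigInteger n) {
        BigInteger result = BigInteger.ONE.mod(n);
        BigInteger base = x.mod(n);
        for (int i = y.bitLength() - 1; i >= 0; i--) {   // scan exponent bits, high to low
            result = result.multiply(result).mod(n);      // square
            if (y.testBit(i))
                result = result.multiply(base).mod(n);    // multiply when the bit is set
        }
        return result;
    }

    // Applies one exponent to every block; serves both c = m^e and m = c^d.
    static long[] apply(long[] blocks, long exp, long n) {
        long[] out = new long[blocks.length];
        for (int i = 0; i < blocks.length; i++)
            out[i] = modularExp(BigInteger.valueOf(blocks[i]), BigInteger.valueOf(exp),
                                BigInteger.valueOf(n)).longValueExact();
        return out;
    }

    public static void main(String[] args) {
        long n = 33, e = 3, d = 7;                  // key pair from the slides
        long[] hello = { 7, 4, 11, 11, 14 };        // "hello" in the slides' letter encoding
        long[] cipher = apply(hello, e, n);         // Alice: c = m^e mod n
        long[] plain = apply(cipher, d, n);         // Bob:   m = c^d mod n
        System.out.println("cipher = " + Arrays.toString(cipher));
        System.out.println("plain  = " + Arrays.toString(plain));
        if (!Arrays.equals(plain, hello))
            throw new AssertionError("round trip failed");
    }
}
```
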
Determine d
d = e^-1 mod φ(n)
Means that e * d = 1 (mod φ(n))
Now, this can be equivalently stated as e * d = z * φ(n) + 1, for some z
Can further restate this as: e * d - z * φ(n) = 1
Or similarly: 1 = φ(n) * (-z) + e * d
How can we solve this?
GCD(φ(n), e) = 1? Solve the GCD problem!

Determine d
GCD(a, b) = i = as + bt
Let:
   a = φ(n)
   b = e
   s = -z
   t = d
   i = 1
GCD(φ(n), e) = 1 = φ(n) * (-z) + e * d
We can compute d in linear time!

Extended Euclidean Algorithm
The extended Euclidean algorithm computes the GCD of integers a and b, and also computes the Bézout numbers s and t, which satisfy the Bézout identity:
   gcd(a, b) = a*s + b*t
We first walk through finding the GCD of a and b, then work backwards to find the Bézout numbers, s and t, for the original a and b.
We will fill out the following table, first following the pattern that the b in each step will become the a in the row below. The remainder of a/b becomes the b in the row below.

Extended Euclidean Algorithm
We know GCD(a, b) = GCD(b, a % b)
Suppose we are computing GCD(a, b):
   eq(1): a*x + b*y = gcd
Suppose we already know GCD(b, a % b), and we have found x1 and y1:
   eq(2): b*x1 + (a % b)*y1 = gcd
Equate the left-hand sides of the two formulas (eq(1) and eq(2)).
We know: a % b = a - (a/b)*b, where a/b is integer division
   gcd = b*x1 + (a - (a/b)*b)*y1        // LHS of eq(2)
       = b*x1 + a*y1 - (a/b)*b*y1
       = a*y1 + b*(x1 - (a/b)*y1)       // Compare the result to LHS of eq(1)
RECURSIVE SOLUTION:
   x = y1
   y = x1 - (a/b)*y1
Stop condition: GCD(a, 0) = a, with x = 1 and y = 0

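Extended Euclidean Algorithm
    // Returns { d, a, b } such that d = gcd(p, q) = p*a + q*b.
    static int[] gcd(int p, int q) {
        // Base case: gcd(p, 0) = p = p*1 + 0*0
        if (q == 0)
            return new int[] { p, 1, 0 };
        // Solve the smaller problem gcd(q, p % q) first
        int[] vals = gcd(q, p % q);
        int d = vals[0];
        int a = vals[2];                        // x = y1
        int b = vals[1] - (p / q) * vals[2];    // y = x1 - (p/q)*y1
        return new int[] { d, a, b };
    }
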
Find the Bézout numbers and GCD of 99 and 78
[Table filled in row by row over several slides; columns: Row, a, b, a/b, a%b, d, s, t. Row 1 starts with a = 99, b = 78, a%b = 21; the later rows were only partly preserved (15, 6, NaN).]

Extended Euclidean Algorithm
We will now walk back up through the table, computing s and t for each step. The s in each row is set to the t from the row below. t is set according to the formula:
   t = s_previous - (a/b) * t_previous
where s_previous and t_previous are the values from the row below.
Remember s and t are defined such that:
   gcd(a, b) = a*s + b*t

Find the Bézout numbers and GCD of 99 and 78
[Table filled in from the bottom row upward over several slides; columns: Row, a, b, a/b, a%b, d, s, t. Most cell values did not survive extraction.]
   t = s_previous - (a/b) * t_previous
Because d is the GCD of the two numbers (i.e. the last non-zero remainder) and gcd(a, b) = a*s + b*t, we know that s and t will always be 1 and 0 in the bottom row (because a will be equal to d).
Verify: gcd(a, b) = a*s + b*t
   3 = 6*0 + 3*1
   3 = 15*1 + 6*(-2)
   3 = 21*(-2) + 15*3
To check your work, verify: 99*(-11) + 78*14 = 3

Exercise
5. Determine d as d ≡ e^-1 (mod φ(n))
   e * d ≡ 1 (mod φ(n))
   Intuition: search from d = 0 until e * d mod 20 = 1
   We have already chosen e = 3; here we choose d = 7
Now using the Extended Euclidean Algorithm:
   1 = 20*s + 3*t
   t -> d

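The table walk for 99 and 78 and the exercise's computation of d, as one added example (not code from the course). java.math.BigInteger stands in for LargeInteger, the names XgcdDemo, xgcd and inverse are hypothetical, and the second key (e = 17, φ(n) = 3120) is constructed here to show the case where t comes out negative and must be reduced mod φ(n).

```java
import java.math.BigInteger;

public class XgcdDemo {
    // Returns {d, s, t} with d = gcd(a, b) = a*s + b*t.
    // Prints one table row per step, bottom row first (the back-substitution order).
    static BigInteger[] xgcd(BigInteger a, BigInteger b) {
        if (b.signum() == 0) {                          // bottom row: a = d, s = 1, t = 0
            System.out.printf("%6s %6s %4s %4s | d=%s s=1 t=0%n", a, b, "NaN", "NaN", a);
            return new BigInteger[] { a, BigInteger.ONE, BigInteger.ZERO };
        }
        BigInteger[] qr = a.divideAndRemainder(b);      // qr[0] = a/b, qr[1] = a%b
        BigInteger[] below = xgcd(b, qr[1]);            // the row below: {d, s_previous, t_previous}
        BigInteger s = below[2];                        // s = t_previous
        BigInteger t = below[1].subtract(qr[0].multiply(below[2])); // t = s_previous - (a/b)*t_previous
        System.out.printf("%6s %6s %4s %4s | d=%s s=%s t=%s%n",
                          a, b, qr[0], qr[1], below[0], s, t);
        return new BigInteger[] { below[0], s, t };
    }

    // d = e^-1 mod phi; throws when e and phi are not co-prime (no inverse exists).
    static BigInteger inverse(BigInteger e, BigInteger phi) {
        BigInteger[] r = xgcd(phi, e);                  // a = phi(n), b = e, so t plays the role of d
        if (!r[0].equals(BigInteger.ONE))
            throw new ArithmeticException("e and phi(n) are not co-prime");
        return r[2].mod(phi);                           // t may be negative; mod() maps it into [0, phi)
    }

    public static void main(String[] args) {
        // The slides' table: columns a, b, a/b, a%b | d, s, t
        xgcd(BigInteger.valueOf(99), BigInteger.valueOf(78));
        // The exercise: e = 3, phi(n) = 20
        System.out.println("d = " + inverse(BigInteger.valueOf(3), BigInteger.valueOf(20)));
        // Constructed key (p = 61, q = 53): t is negative before the final mod
        System.out.println("d = " + inverse(BigInteger.valueOf(17), BigInteger.valueOf(3120)));
    }
}
```
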
Hash Functions
For Crypto Hash Functions, Output Should Appear Random
Digital Signatures – Public Key Cryptography
Creating a Digital Signature
Digital Signatures Often Use Commutative Operations
The order of Decryption and Encryption can be changed
Sending message m together with the decrypted data D(m, k^-1)
Using the public key k to verify message
[Figure labels: Plaintext sent by sender; Cryptotext sent by sender using sender's private key; Sender's public key; Plaintext recovered matches]

Digital Signatures and Hashes
Because public-key crypto can be computationally expensive, the crypto operations are often performed on the securely hashed version of the message rather than the original: we do not apply the algorithm on the plaintext, but on the hashed version.
[Figure labels: Hash algorithm; Received; Compute; Match. Signature Verified.]

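Hash-then-sign as described above, shown end to end as an added example (not code from the course or the acknowledged slides). It uses textbook RSA without padding, as on the slides, whereas deployed signature schemes add a padding step such as RSASSA-PSS; the class name HashThenSign, the exponent 65537, the 1024-bit primes and the sample messages are assumptions made here.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class HashThenSign {
    static final BigInteger E = BigInteger.valueOf(65537);   // assumed public exponent

    // SHA-256 digest of the message as a non-negative integer (below 2^256, so below n here).
    static BigInteger hash(String msg) throws Exception {
        byte[] h = MessageDigest.getInstance("SHA-256")
                                .digest(msg.getBytes(StandardCharsets.UTF_8));
        return new BigInteger(1, h);
    }

    // Sender: apply the private exponent d to the hash, not to the message itself.
    static BigInteger sign(String msg, BigInteger d, BigInteger n) throws Exception {
        return hash(msg).modPow(d, n);
    }

    // Receiver: apply the public exponent to the signature, compare with a freshly computed hash.
    static boolean verify(String msg, BigInteger sig, BigInteger n) throws Exception {
        return sig.modPow(E, n).equals(hash(msg));
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        BigInteger p, q, phi;
        do {                                                  // key generation steps 1-4
            p = BigInteger.probablePrime(1024, rnd);
            q = BigInteger.probablePrime(1024, rnd);
            phi = p.subtract(BigInteger.ONE).multiply(q.subtract(BigInteger.ONE));
        } while (p.equals(q) || !phi.gcd(E).equals(BigInteger.ONE));
        BigInteger n = p.multiply(q);
        BigInteger d = E.modInverse(phi);                     // step 5: d = e^-1 mod phi(n)

        String msg = "pay Bob 10 dollars";                    // constructed sample message
        BigInteger sig = sign(msg, d, n);
        System.out.println("original message verifies: " + verify(msg, sig, n));
        System.out.println("altered message verifies:  " + verify("pay Bob 1000 dollars", sig, n));
    }
}
```
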
Acknowledgements
Adam J. Lee's slides from CS 1653
http://www.csee.umbc.edu/~chang/cs203.s09/exteuclid.shtml